Background

• DOD Agency Responsible for Interpretation and Enforcement

• Security Control Development

• Document Drafting and Approval

• Testing of Security Controls

• Enforcement

• The fun stuff... gaps in security controls



Background / Disclaimer

• What kind of data are we talking about?

• National Industrial Security Program (NISP), Executive Order 12829 1

• National Industrial Security Program Policy Advisory Committee (NISPPAC)

• National Industrial Security Program Operating Manual (NISPOM)

1. DoD 5220.22-M "National Industrial Security Program: Operating Manual."



DOD Agency Responsible for Interpretation and Enforcement

• The Defense Security Service (DSS)

• Agency Structure
  - Directorates (IS, CI, DISCO, and CDSE)
  - ODAA

• Field Offices



Basics of Certification and Accreditation (C&A)

• What is C&A? 1, 2

• Certification

• Accreditation

• ISSP role

• RDAA role

• Enough background on the DSS, let's get into security controls

1. Industrial Security Field Operations (ISFO) Process Manual for the Certification and Accreditation of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM) and NIST 800-53.

2. Master System Security Plan (MSSP) Template for Peer-to-Peer Networks.



Security Controls

• Where do they originate from?

• Linux controls 1

Audit Areas

1. /bin
2. /usr/bin
3. /etc
4. /sbin
5. /usr/sbin
6. /var/audit
7. /usr/local
8. /opt
9. /home

1. ISL 2007-01



Security Controls cont.

• Linux cont. 1, 2

• DISA STIG vs NISPOM/DSS ISL

1. Standardization of Baseline Technical Security Configurations.

2. UNIX: Security Technical Implementation Guide.



DISA STIG vs DSS NISPOM/ISL

DISA STIG: The SA will ensure audit data files have permissions of 640, or more restrictive.
DSS NISPOM/ISL: (2) Audit Trail Protection. The contents of audit trails shall be protected against unauthorized access, modification, or deletion.

DISA STIG: Logon (unsuccessful and successful) and logout (successful)
DSS NISPOM/ISL: (b) Successful and unsuccessful logons and logoffs.

DISA STIG: Process and session initiation (unsuccessful and successful)
DSS NISPOM/ISL: (a) Enough information to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

DISA STIG: Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
DSS NISPOM/ISL: N/A

DISA STIG: Unauthorized access attempts to files (unsuccessful)
DSS NISPOM/ISL: (c) Successful and unsuccessful accesses to security-relevant objects and directories, including creation, open, close, modification, and deletion.

DISA STIG: Use of privileged commands (unsuccessful and successful)
DSS NISPOM/ISL: N/A

DISA STIG: Use of print command (unsuccessful and successful)
DSS NISPOM/ISL: N/A

DISA STIG: Export to media (successful)
DSS NISPOM/ISL: N/A

DISA STIG: System startup and shutdown (unsuccessful and successful)
DSS NISPOM/ISL: N/A

DISA STIG: Files and programs deleted by the user (successful and unsuccessful)
DSS NISPOM/ISL: N/A - Unless it's considered a "Security Relevant Object"

DISA STIG: All system administration actions
DSS NISPOM/ISL: (d) Changes in user authenticators.

DISA STIG: All security personnel actions
DSS NISPOM/ISL: N/A

1. Standardization of Baseline Technical Security Configurations.

2. UNIX: Security Technical Implementation Guide.



ISL 2009-01 and Windows Baseline Standards

• ISL 2009-01 1

• Standardization of Baseline Technical Security Configurations - March 2009

• This process manual is not directive in nature, but adherence to the standards in this process manual by NISP contractors is recommended in order for DSS to be able to expeditiously issue Interim Approvals to Operate (IATO) and Approvals to Operate (ATO).

• FISMA (NIST 800-53) - June 2011

• Linux left out (must be super secure on its own)

1. Standardization of Baseline Technical Security Configurations.



ISFO Manual Updates (Summary of Changes) 1

• Finally, 14 character passwords required for all systems and 60 day change reqs.

• Patching is addressed now, in a semi-ambiguous way, in section 5.2.8.1

• The ISSM will identify ISs containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The ISSM will install security-relevant software upgrades (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously.

1. ISFO Process Manual Revision 3: Summary of Changes.



ISFO Manual Updates (Summary of Changes) 1

• USB Drives Addressed... sorta.

• Audit requirements expanded on:

1. Enough information to determine the action involved, the date and time of the action, the system on which the action occurred, the system entity that initiated or completed the action, and the resources involved (if applicable).

2. Successful and unsuccessful logins and logoffs.

3. Unsuccessful accesses to security-relevant objects and directories.

4. Changes to user authenticators.

5. The blocking or blacklisting of a user ID, terminal, or access port.

6. Denial of Access from an excessive number of unsuccessful login attempts.

1. ISFO Process Manual Revision 3: Summary of Changes.
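As an added example (not from the slides or from DSS/DISA), the Python below checks an auditd rules file against the Linux controls the deck cites: the nine ISL 2007-01 audit areas, the STIG's chown/chmod row from the STIG-vs-NISPOM table, and the STIG's "640 or more restrictive" mode for audit data files. The sample rules file is constructed for the example and its -k key names are assumed; the -w/-p/-a/-S syntax is standard auditd.

```python
# Added example: check auditd rules against the ISL 2007-01 / STIG audit controls.
import re
import stat

# The nine Linux audit areas listed under ISL 2007-01 in the slides.
ISL_2007_01_AUDIT_AREAS = (
    "/bin", "/usr/bin", "/etc", "/sbin", "/usr/sbin",
    "/var/audit", "/usr/local", "/opt", "/home",
)

# Constructed sample of an audit.rules file (not from a real system); -k names assumed.
SAMPLE_RULES = """\
# file watches (w = write, a = attribute change)
-w /bin -p wa -k isl_bin
-w /usr/bin -p wa -k isl_bin
-w /etc -p wa -k isl_etc
-w /sbin -p wa -k isl_sbin
-w /usr/sbin -p wa -k isl_sbin
-w /var/audit -p wa -k isl_audit
-w /opt -p wa -k isl_opt
# DAC permission changes (the STIG chown/chmod row)
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown -k dac_mod
"""

def watched_paths(rules_text):
    """Paths that have a -w watch covering writes or attribute changes."""
    paths = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"-w\s+(\S+)(?:\s+-p\s+(\S+))?", line)
        # A watch without -p audits all access types, so treat it as covering w and a.
        if m and set("wa") & set(m.group(2) or "rwxa"):
            paths.add(m.group(1))
    return paths

def missing_audit_areas(rules_text):
    """ISL 2007-01 audit areas with no write/attribute watch, in slide order."""
    watched = watched_paths(rules_text)
    return [p for p in ISL_2007_01_AUDIT_AREAS if p not in watched]

def audits_dac_changes(rules_text):
    """True if a syscall rule covers the chmod/chown family (STIG DAC row)."""
    return any(re.search(r"-S\s+\S*(chmod|chown)", ln) for ln in rules_text.splitlines())

def audit_file_mode_ok(mode, ceiling=0o640):
    """True when `mode` grants no permission bit beyond the STIG ceiling (600 passes, 644 fails)."""
    return (stat.S_IMODE(mode) & ~ceiling) == 0
```

On a live system, pass `os.stat(path).st_mode` of the audit log to `audit_file_mode_ok` and the contents of the rules file to the other checks; the sample above leaves /usr/local and /home unwatched on purpose so the gap shows.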



ISFO Manual Updates (Summary of Changes) cont. 1

• Security Seals...

Approved tamper-proof, pre-numbered seals should be used on hardware components (to include monitors and keyboards) anytime the hardware may be subject to access by uncleared personnel (i.e. used for periods-processing, or relocation).

1. ISFO Process Manual Revision 3: Summary of Changes.



Document Drafting and Approval

• ISFO Process Manual and Standardization Documents drafting

• Linux document development, and its death.



Security Setting Testing

• Inadequate Labs

• Test Resources Limited



Enforcement 



• The Special Agent 

• The 0080 (Industrial Security Specialist) and 2210 
Specialties (IT Specialist) 

• Training and authority 

• Subjectivity 



Enforcement cont.

• Inspection selection and process
  - Size of facility and complexity

• "Partners with Industry"

• What happens in the case of non-compliance?



Inadequate Controls - Windows

• Patching 1

• USB

• Virtual Environments

• UAC

• Admin actions not audited

• Classified data not audited

• Tamper Controls

1. Standardization of Baseline Technical Security Configurations.



Inadequate Controls - *nix

• Lack of expertise and training in agency leads to ostrich effect. 1

• Job listings do not require any Unix or Linux experience.

• The list of files/services/versions that are not addressed is too long to list.

• Make it easy on themselves and use one of the configuration guides already in use.

• Auditing Rules not required to be in use in Red Hat... really?

1. Standardization of Baseline Technical Security Configurations.



Inadequate Controls - *nix cont.

• Same issues affecting Windows affect the Unix/Linux environment as well. 1

• Patching

• USB

• Virtualized Environments

• Auditing

• Tamper Controls

1. Standardization of Baseline Technical Security Configurations.



Wrap-up

• So... why the talk?

• Education... how many actually know how the U.S. protects classified data at the collateral level?

• Enlightenment

• I think it's important to bring issues that are detrimental to the nation's security to the forefront. These issues have been brought up to the agency, and ignored.

• STUXNET and Flame...